Information Commissioner's Office


ICO consultation on the draft right of access guidance


The right of access (known as subject access) is a fundamental right 
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please
email SARguidance@ico.org.uk.


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
capacity (e.g. a member of the public). For more information about
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 
consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather
this information. Any data collected by Snap Surveys for ICO is
stored on UK servers. You can read their Privacy Policy.


Q1 Does the draft guidance cover the relevant issues about the right 
of access? 


Yes 
No 


Unsure/don’t know 


If no or unsure/don’t know, what other issues would you like to be 
covered in it? 


• More examples, such as guidance on call transcription requests.

• In terms of requesters being unable to access their data on the media provided, does this
impact compliance with the one calendar month timescale? For example, data is provided
within the one month timescale, but the data subject responds that they cannot access the
media. If the data is resent on alternative media, does this impact the timescale? Is the
receipt of the data (albeit un-accessed) classed as the fulfillment, or is the requester
accessing the data classed as the fulfillment date?

• GDPR states “commonly used electronic format”. In itself, this is vague and ill-defined; the
draft gives: “You may choose the format, unless the requester makes a reasonable
request for you to provide it in another commonly used format (electronic or
otherwise).” Requesters often argue that data discs are not a commonly used format
after receipt. What is the definition of a reasonable request? Paper copies cannot be
encrypted, and call transcriptions are an unreliable copy of actual data. Could there be
examples of reasonable requests given?


If the SAR is submitted by other means (eg by letter or verbally) you can provide a
copy in any commonly used format (electronic or otherwise), unless the 
requester makes a reasonable request for you to provide it in another commonly 
used format. Again, what defines a reasonable request in this scenario? A request may 
be reasonable if the subject does not have a computer, but paper copies of personal data 
cannot be encrypted. 


Q2 Does the draft guidance contain the right level of detail? 


Yes 
x No 


Unsure/don’t know 


If no or unsure/don't know, in what areas should there be more detail 
within the draft guidance? 


There is nothing that covers the transcription of call recordings. A valid viewpoint is that a 
transcription is not the exact data; it is a copy of it, in a changed format, prone to errors 
via mishearing, typing errors, and it omits tone and other communication cues explicit in 
audio recordings. 

Where a requester asks for transcripts only, there is no relevant guidance. We wouldn’t 
expect a deaf requester asking for recorded calls to be transcribed, so there’s no 
reasonable adjustment, as there would be no calls (due to the requester being deaf). Is 
the work required to transcribe hours of calls expected to be covered under the standard 
processing of a SAR? What guidance is available concerning the possible corruption of 
data when transcribing audio? For businesses with call centres and call recording 
functionality this is a very pertinent issue. 


“When is a request complex? 

Whether a request is complex depends upon the specific circumstances of each 
case. What may be complex for one controller may not be for another — the size 
and resources of an organisation are likely to be relevant factors.” 


Although it is understood that the term ‘complex’ can cover a wide area, previous ICO 
guidance has stated that call transcripts must be provided when asked for. Given the 
resources in both time and agent cost per hour to satisfy the request for this specific 
information, can this be classed as a complex request? 

Does the act of transcription class as an administrative cost, or is it seen as merely 
dealing with the request? If photocopying, printing and postage are classed as 
administrative costs, surely the significant time taken to change data medium should be? 


Reasonable Adjustment 


In terms of reasonable adjustment, requests for written call transcripts have been 
requested under this umbrella. The reason given is no ownership of a computer to access 
a commonly used electronic format (USB/Data disc). Does this qualify as a reasonable 
adjustment? It does not class as a disability nor fall within the scope of anything else 
similar. 


Q3 Does the draft guidance contain enough examples? 


O Yes 
No 
Unsure/don’t know 


If no or unsure/don't know, please provide any examples that you think
should be included in the draft guidance. 


Q4 We have found that data protection professionals often struggle with applying and 
defining ‘manifestly unfounded or excessive’ subject access requests. We would 
like to include a wide range of examples from a variety of sectors to help you. 
Please provide some examples of manifestly unfounded and excessive requests 
below (if applicable). 


Telecommunications provider example: 

The requester stated that they had no computer so could not access a commonly used 
electronic format - Data CD and USB. This requester had asked for call transcripts in 
printed form as a reasonable adjustment, though on later calls they stated they had a 
computer and access to it. The caller made multiple calls on a weekly basis and also 
stated that were we to pay him a set sum of money he would not require the SAR. This 
requester made SARs for call transcripts every two months. The requester submitted a 
complaint to the ICO referring to an initial refusal to transcribe calls due to the time and 
effort required when it was the company’s opinion that the requests were only placed 
(with an offer to withdraw) as bargaining for financial settlement. The customer used ADR 
mediation and did not submit any of the call transcripts that were provided. Direct 
communication at the time between the ICO and the company’s DPO stated we had to 
comply with the request to transcribe, despite our insistence that this request was 
manifestly unfounded and that we had proof of such. We informed the requester that 
there would be an administrative fee to cover the many hours of work required to 
transcribe calls, and the requester contacted the ICO who stated this fee could not be 
levied (see Q3). 


Q5 On a scale of 1-5 how useful is the draft guidance? 


1 - Not at all useful   2 - Slightly useful   3 - Moderately useful   4 - Very useful   5 - Extremely useful
O O [1 


Q6 Why have you given this score? 


Relevant issues that we would require guidance on as a data controller are still either 
quite vague or missing entirely (as detailed in the free text fields above). Direct 
communication with the ICO has often given contradictory advice. The advice has often
varied given the ICO case handler providing it and there has been a lack of consistency in
responses.


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


O Strongly disagree
O Disagree
O Neither agree nor disagree
X Agree
O Strongly agree


Q8 Please provide any further comments or suggestions you may have about the draft 
guidance. 


Q9 Are you answering as: 


O An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

O An individual acting in a professional capacity 

X On behalf of an organisation

O Other 


Please specify the name of your organisation: 


Plusnet Plc 


What sector are you from: 


Telecommunications 


Q10 How did you find out about this survey? 


O ICO Twitter account 

ICO Facebook account 

ICO LinkedIn account 

ICO website 

ICO newsletter 

ICO staff member 

Colleague 

Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 




Thank you for taking the time to complete the survey. 


